Canada: Doing Business In Canada 2019 - Privacy And Anti-Spam Laws

Last Updated: July 9 2019
Article by Fasken Martineau

Privacy Law

The protection of personal information in Canada is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and by substantially similar legislation in certain provincial jurisdictions.


Defining Personal Information

Personal information is broadly defined in PIPEDA as "information about an identifiable individual." Such information can include, among other things, a person's name, address, phone number, age, sex, ethnicity, religion, education, and health and financial information. Certain government-provided information is also considered personal, such as a person's social insurance number, provincial health insurance plan number, driver's licence number, and passport number.

Application of PIPEDA

In general terms, PIPEDA applies to an organization's collection, use, or disclosure of personal information in the course of commercial activities. It also applies to the personal information of employees when it is collected, used, or disclosed in connection with the operation of a federal work, undertaking, or business.

PIPEDA does not apply to the collection, use, or disclosure of employees' personal information where individuals are employees of organizations under provincial jurisdiction (i.e., organizations that are not federal works, undertakings, or businesses). However, the private sector privacy legislation in British Columbia, Alberta, and Québec does apply to employees' personal information. Consideration must also be given to other statutory and common law sources of privacy law obligations in the workplace and in certain industry sectors (e.g., health care, in respect of personal health information).

The general principles of PIPEDA are:

  • Accountability
  • Identifying purposes
  • Consent
  • Limiting collection
  • Limiting use, disclosure, and retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual access
  • Challenging compliance

PIPEDA and Your Business

Knowledge and Consent

Informed consent is the guiding principle behind PIPEDA. Individuals should be made aware of the purposes for the collection, use, or disclosure of their personal information, and they should have the right to either consent to or refuse such action. Consent is valid only if it is reasonable to expect that the affected individual would understand the "nature, purpose, and consequences" of the collection, use, or disclosure of the personal information to which he or she is granting access.

There are certain exceptions to the consent requirement. For example, there is a consent exemption available for information collection where such collection is for the benefit of the individual in question and consent cannot be obtained in a timely way or where the information is "publicly available" (the scope of which is narrowly prescribed by the regulation).

Business Transactions

It is often necessary for organizations to collect, use, or disclose personal information, including employees' personal information, in relation to due diligence and closing a business transaction.

PIPEDA permits these activities without consent, provided that:

The organization has entered into an agreement that requires the recipient to (a) use the information for the sole purpose of the transaction, (b) protect the information, or (c) return or destroy the information if the transaction does not proceed.

The personal information is necessary to determine whether or not to proceed with the transaction and, if a decision is made to proceed, to complete the transaction.

For completed transactions, the organization must enter into an agreement that requires it to (a) use and disclose the information for the sole purposes for which it was collected, used, or disclosed prior to the transaction; (b) protect the information; and (c) give effect to any withdrawal of consent.

The information must be necessary for carrying on the activity that was the object of the transaction, and one of the parties must notify the individuals within a reasonable time of the transaction and disclosure.

The above exemption does not apply if the transaction is for the primary purpose of, or results in, the purchase (or other acquisition), sale, disposition, or lease of personal information. The exemption codifies common practice and is modelled on similar provisions in British Columbia and Alberta privacy laws.

Outsourcing of Data Processing to the United States

Canadian corporations may outsource certain data processing activities, like client billing, to a US parent corporation or a third-party processing company located within the United States or another jurisdiction. Although PIPEDA does not prohibit the outsourcing of data processing activities, it does require that the Canadian organization continues to be accountable for the personal information even though such information has been transferred to a third party for processing.

In addition, the Canadian organization will have to comply with two requirements imposed by the Office of the Privacy Commissioner of Canada (the "commissioner"). First, as with all third-party processing (whether it takes place in or outside of Canada), the organization must protect the confidentiality and security of the personal information through either implementing adequate contractual and other safeguards between the organization and the parent corporation (or third-party processor) or through ensuring that the subsidiary and parent corporations are governed by the same privacy policy that imposes the same privacy requirements on both entities. Second, the Canadian subsidiary must notify the affected individuals if their personal information will be stored, used, or disclosed in a jurisdiction outside of Canada and that the information may be accessible under the laws of the relevant jurisdiction. Additional requirements may be applicable in respect of certain types of information and pursuant to provincial privacy laws.

Breach Notification and Record Keeping

Pursuant to provisions that came into effect on November 1, 2018, PIPEDA includes a mandatory requirement for organizations to give notice to affected individuals and to the commissioner about data breaches under certain circumstances.

Section 10.1 of PIPEDA requires organizations to notify individuals about (unless prohibited by law), and to report to the commissioner, all breaches where it is reasonable to believe that the breach creates a "real risk of significant harm to an individual."

PIPEDA defines "significant harm" as including, among other harms, humiliation, damage to an individual's reputation or relationships, and identity theft. A "real risk" requires consideration of the sensitivity of the information, the probability of misuse, and any other prescribed factor.

The notice to individuals and the report to the commissioner must be given in the prescribed form "as soon as is feasible" after it is determined that a breach occurred. The commissioner may publish information about such notices if it determines that it would be in the public interest to do so.

Pursuant to the Breach of Security Safeguards Regulations under PIPEDA, the notice to an individual must contain certain information, including a description of (a) the circumstances of the breach, (b) the personal information that is the subject of the breach, (c) the steps taken by the organization to reduce the harm that could result, and (d) the steps the individual can take to reduce or mitigate the harm. The notice must be conspicuous and given directly to the individual except in certain circumstances where indirect notice (e.g., posting to a website) may be permitted.

The report to the commissioner must contain certain information, including the number of individuals affected, contact information for someone who can answer the commissioner's questions, and a description of (a) the circumstances of the breach, (b) the personal information that is the subject of the breach, (c) the steps taken by the organization to reduce the harm that could result, and (d) the steps the organization has taken to notify the affected individuals. The report may be sent by "any secure means of communication" and may be updated with new information as the organization becomes aware of it.

Where notice is given to individuals, Section 10.2 of PIPEDA requires organizations to notify other organizations (e.g., credit bureaus) and government agencies if such notice could reduce the risks or mitigate the harm. Consent is not required for such disclosures.

Section 10.3 of PIPEDA requires organizations, in accordance with the prescribed requirements, to keep and maintain a record of every breach of safeguards involving personal information under their control. Pursuant to Section 6 of the Breach of Security Safeguards Regulations, these records must be maintained for 24 months after the day on which the organization determines the breach happened. The records must also contain the information necessary to allow the commissioner to verify compliance with the reporting and notification requirements under Section 10.1 of PIPEDA.

In addition, upon request, organizations must provide the commissioner with such records. The commissioner may publish information from such records if it would be in the public interest. There is no threshold associated with the record-keeping obligation; a record of all breaches of security safeguards must be kept, irrespective of whether or not they gave rise to a real risk of significant harm. Nor is there any threshold before an organization would be required to provide its "breach file" to the commissioner.

Provincial Legislation

The provinces of Québec, Alberta, and British Columbia have enacted privacy legislation that is substantially similar to PIPEDA, although it is not limited to organizations' commercial activities. As a result, the provincial legislation may apply to the collection, use, or disclosure of personal information within those jurisdictions.

Anti-Spam Law

Sending commercial electronic messages (CEMs) to and from Canada and installing computer programs on systems in Canada is primarily governed by a statute commonly known as Canada's Anti-Spam Law (CASL) and the regulations pursuant to it.

On July 1, 2014, most of CASL and its regulations came into force. The balance of the law came into force in January 2015 (with the exception of a section on the private right of action to sue for a violation of CASL, whose scheduled commencement in 2017 was suspended).


A CEM is defined broadly in CASL as "an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that (a) offers to purchase, sell, barter, or lease a product, goods, a service, land, or an interest or right in land; (b) offers to provide a business, investment, or gaming opportunity; (c) advertises or promotes anything referred to in paragraph (a) or (b); or (d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c) or who intends to do so."

Requests for permission to send CEMs are also deemed to be CEMs, so organizations must carefully consider CASL requirements before sending a message to request consent to send CEMs.

Unlike other anti-spam laws, including the US CAN-SPAM Act, CASL is an opt-in regime. With limited exceptions, CASL prohibits the sending of a CEM unless prior express or implied consent exists. In addition, prescribed contact information and an unsubscribe mechanism must be included in each CEM.

Express consent must be obtained in a prescribed form under CASL. Implied consent is limited to certain enumerated categories, such as "existing business relationships" as defined in the legislation.

Computer Programs

In general terms, CASL prohibits installing or causing to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, causing an electronic message to be sent from that computer system without the express consent of the owner or an authorized user of the computer system or in accordance with a court order.

This prohibition applies if the computer system is located in Canada at the relevant time or if the person is either in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when the direction is given.

Additional notice and consent requirements and other obligations apply in respect of programs that perform certain enumerated functions that the person who seeks express consent knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user of the computer system, such as collecting personal information stored on the computer system.

Consequences for Violations of CASL

CASL violations can lead to significant monetary penalties (up to $10 million for organizations), directors' and officers' liability, and extended liability for those involved in committing the violation.

Pursuant to the CASL regulation originally scheduled to come into force on July 1, 2017, organizations would have also faced the prospect of civil litigation (including class action litigation) and statutory damages in respect of CASL violations. The commencement of this private right of action was suspended pending further government review.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions